A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of “large commercial entities.”
The Cactus ransomware operation has been active since at least March and is looking for big payouts from its victims.
While the new threat actor adopted the usual tactics seen in ransomware attacks – file encryption and data theft – it added its own touch to avoid detection.
Encrypted configuration twist
Researchers at Kroll corporate investigation and risk consulting firm believe that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.
The assessment is based on the observation that in all incidents investigated the hacker pivoted inside from a VPN server with a VPN service account.
What sets Cactus apart from other operations is the use of encryption to protect the ransomware binary. The actor uses a batch script to obtain the encryptor binary using 7-Zip.
The original ZIP archive is removed and the binary is deployed with a specific flag that allows it to execute. The entire process is unusual and the researchers that this is to prevent the detection of the ransomware encryptor.
In a technical report, Kroll investigators explain that there are three main modes of execution, each one selected with the use of a specific command line switch: setup (-s), read configuration (-r), and encryption (-i).
The -s and -r arguments allow the threat actors to setup persistence and store data in a C:\ProgramData\ntuser.dat file that is later read by the encryptor when running with the -r command line argument.
For the file encryption to be possible, though, a unique AES key known only to the attackers must be provided using the -i command line argument.
This key is necessary to decrypt the ransomware’s configuration file and the public RSA key needed to encrypt files. It is available as a HEX string hardcoded in the encryptor binary.
Decoding the HEX string provides a piece of encrypted data that unlocks with the AES key.
“CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, told Bleeping Computer.
Running the binary with the correct key for the -i (encryption) parameter unlocks the information and allows the malware to search for files and start a multi-thread encryption process.
Kroll researchers provided the diagram below to better explain the Cactus binary execution process as per the selected parameter.
Ransomware expert Michael Gillespie also analyzed how Cactus encrypts data and told BleepingComputer that the malware uses multiple extensions for the files it targets, depending on the processing state.
When preparing a file for encryption, Cactus changes its extension to .CTS0. After encryption, the extension becomes .CTS1.
However, Gillespie explained that Cactus can also has a “quick mode,” which is akin to a light encryption pass. Running the malware in quick and normal mode consecutively results in encrypting the same file twice and appending a new extension after each process (e.g. .CTS1.CTS7).
Kroll observed that the number at the end of the .CTS extension varied in multiple incidents attributed to Cactus ransomware.
Cactus ransomware TTPs
Once in the network, the threat actor used a scheduled task for persistent access using an SSH backdoor reachable from the command and control (C2) server.
According to Kroll investigators, Cactus relied on SoftPerfect Network Scanner (netscan) to look for interesting targets on the network.
For deeper reconnaissance, the attacker used PowerShell commands to enumerate endpoints, identify user accounts by viewing successful logins in Windows Event Viewer, and ping remote hosts.
The researchers also found that Cactus ransomware used a modified variant of the open-source PSnmap Tool, which is a PowerShell equivalent of the nmap network scanner.
To launch various tools required for the attack, the investigators say that Cactus ransomware tries multiple remote access methods through legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) along with Cobalt Strike and the Go-based proxy tool Chisel.
Kroll investigators say that after escalating privileges on a machine, Cactus operators run a batch script that uninstalls the most commonly used antivirus products.
Like most ransomware operations, Cactus also steals data from the victim. For this process, the threat actor uses the Rclone tool to transfer files straight to cloud storage.
After exfiltrating data, the hackers used a PowerShell script called TotalExec, often seen in BlackBasta ransomware attacks, to automate the deployment of the encryption process.
Gillespie told us that the encryption routine in Cactus ransomware attacks is unique.Despite this, it does not appear to be particular to Cactus as a similar encryption process has also been adopted recently by the BlackBasta ransomware gang.
At the moment there is no public information about the ransoms that Cactus demands from its victims but BleepingComputer has been told by a source that they are in the millions.
Even if the hackers do steal data from victims, it appears that they have not set up a leak site like other ransomware operations involved in double-extortion.
However, the threat actor does threaten victims with publishing the stolen files unless they get paid. This is explicit in the ransom note:
Extensive details about the Cactus operation, the victims they target, and if the hackers keep their word and provide a reliable decryptor if paid, are not available at this time.
What is clear is that the hackers’ incursions so far likely leveraged vulnerabilities in the Fortinet VPN appliance and follow the standard double-extortion approach by stealing data before encrypting it.
Applying the latest software updates from the vendor, monitoring the network for large data exfiltration tasks, and responding quickly should protect from the final and most damaging stages of a ransomware attack.